OAUTH2是一种安全的授权框架,其原理在网上有许多文章上可以看到。但从实践角度,好的文章比较少。SpringSecurity框架本身是支持OAUTH2的,所以下面通过使用SpringSecurity框架做个DEMO,从代码级别体验下OAUTH2。
还是先创建一个SpringBoot的项目,然后添加相应的依赖(可以看出springCloud对oatuth2已经有了很好的支持)
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<spring-security-oauth2-autoconfigure.version>2.1.0.RELEASE</spring-security-oauth2-autoconfigure.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
<version>${spring-security-oauth2-autoconfigure.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
</dependencies>
添加启动类
@SpringBootApplication
@EnableAuthorizationServer //这个注解也是根据Springcloud的惯例进行添加
public class AuthorizationApp
{
public static void main( String[] args )
{
SpringApplication.run(AuthorizationApp.class, args) ;
}
}
至于application.yml文件暂时啥都没配,启动 AuthorizationApp 实例后,在8080默认端口启动了web服务,按着对OAUTH协议的理解,这样应该是启动了OAUTH2的authorizagion server。
下面先分析下,会加载哪些配置:
一. 由@EnableAuthorizationServer注解引出的配置
查看@EnableAuthorizationServer注解源码,如下:
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class})
public @interface EnableAuthorizationServer { }
可以看到其导入了两个配置类 :AuthorizationServerEndpointsConfiguration , AuthorizationServerSecurityConfiguration
根据@EnableAuthorizationServer的注释可知,这个authorization server暴露出两个http endpoint给我们调用,分别是 /oauth/authorize (实现类AuthorizationEndpoint)和 /oauth/token (实现类TokenEndpoint)
二. 自动配置类 OAuth2AutoConfiguration
这是由 依赖的spring-security-oauth2-autoconfigure导入的,OAuth2AutoConfiguration的源码
@Configuration
@ConditionalOnClass({ OAuth2AccessToken.class, WebMvcConfigurer.class })
@Import({ OAuth2AuthorizationServerConfiguration.class,
OAuth2MethodSecurityConfiguration.class, OAuth2ResourceServerConfiguration.class,
OAuth2RestOperationsConfiguration.class })
@AutoConfigureBefore(WebMvcAutoConfiguration.class)
@EnableConfigurationProperties(OAuth2ClientProperties.class)
public class OAuth2AutoConfiguration { private final OAuth2ClientProperties credentials; public OAuth2AutoConfiguration(OAuth2ClientProperties credentials) {
this.credentials = credentials;
} @Bean
public ResourceServerProperties resourceServerProperties() {
return new ResourceServerProperties(this.credentials.getClientId(),
this.credentials.getClientSecret());
} }
由源码可知,又引入了几个配置类:
OAuth2AuthorizationServerConfiguration.class,
OAuth2MethodSecurityConfiguration.class,
OAuth2ResourceServerConfiguration.class,
OAuth2RestOperationsConfiguration.class
从以上分析来看,似乎有两套配置参与了OAuth2的使用,究竟是哪一套在起作用,还是两套在合作着起作用呢,请看后续分析。